SF Municipal Railway restores systems after ransomware attack

The San Francisco Municipal Transportation Authority restored its systems following a ransomware attack and claimed no data was compromised, despite conflicting claims from the hacker responsible.

The San Francisco Municipal Transportation Authority (SFMTA) was hit with a ransomware attack the morning of Friday, Nov. 25. Kristen Holland, deputy spokesperson for the SFMTA, said in a blog post that ticket machines and fare gates in the Muni Metro subway stations were turned off as a precaution “to minimize any potential risk or inconvenience to Muni customers,” but the normal transit service was not affected.

“The malware used encrypted some systems mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls,” Holland wrote in a blog post, saying the attack primarily affected 900 office computers. “Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers.”

A number of these details conflicted with claims made by the hacker behind the ransomware attack, who used the pseudonym Andy Saolis. Saolis demanded 100 bitcoins — approximately $73,000 USD — and provided a list of 2,112 SFMTA machines claimed to be under the hacker’s control, far more than the number given by the SFMTA.

Matthew Gardiner, cybersecurity strategist at Mimecast, based in Boston, told SearchSecurity the threat actor likely knew how much money the SFMTA stood to lose during the attack when setting the ransom.

“Most cybercrime groups are increasingly balancing the value of the system that they have locked down with the ease of just getting paid,” Gardiner said via email. “$73,000 is a number that was probably picked with the knowledge that they have locked down the ability of Muni to collect fares, which is on the order of $500,000 [per day], and thus $73,000 is a relatively small price to pay, but still significant from the cybercriminals’ point of view.”

In an email to Salted Hash, the owner of the email address associated with the ransomware attack offered advice on how the SFMTA could fix the vulnerability used in the attack and threatened to release 30 GB of data, including contracts, employee data, customer data and other data, if the ransom was not paid.

Although it is unclear if the information provided by the hacker is accurate or a bluff, Tim Erlin, senior director of IT security and risk strategy for Tripwire Inc., based in Portland, Ore., urged the SFMTA to be as transparent as possible.

“While Muni should definitely share their analysis of this breach, sharing incomplete information during an investigation will do little to help,” Erlin said. “Gaining a complete understanding of the extent and root cause of a breach can take a significant amount of time, as we’ve seen in other incidents. Muni is certainly not alone in falling victim to ransomware.”

Gardiner said it is risky to take the attackers at face value because “they have a financial incentive to stretch the truth,” but he warned that, this early in the investigation, the hacker may know more than the victim.

“It’s possible that the attacker has accurate numbers and the Muni, at the time of this statement, hadn’t yet discovered all of the impacted systems. Keep in mind ransomware, like other malware, can remain dormant until poked by the attacker,” Gardiner said, adding that knowing the details of exfiltrated data is also difficult. “The Muni may have been able to pull pieces of data together, such as from their firewalls, routers and system log files, to come to the determination that no data was stolen. But this level of forensic analysis takes deep forensic expertise, timely access to the data, as well as time to interpret.”

A security researcher claimed to have compromised the hacker’s email address and found evidence of multiple successful ransomware attacks in the past. According to information provided to security reporter Brian Krebs, hacked emails showed one “U.S.-based manufacturing firm” paid Saolis 63 bitcoins — approximately $45,000 — in ransom, and the hacker has extorted “at least $140,000 in bitcoin from victim organizations” since August.

Holland said the SFMTA contacted the Department of Homeland Security for aid with the ransomware and has been working with both the DHS and the FBI on the investigation.

“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing,” Holland wrote. “Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”

Experts roundly praised the SFMTA for having the system backups necessary to rebound from a ransomware attack. Thomas Pore, director of IT and services for Plixer International in Kennebunk, Maine, told SearchSecurity he wasn’t worried about the SFMTA not having backups in place to restore systems, but he did worry about the effect on the agency’s brand.

“I think that the dangers lie within the general public’s mind now that they are acutely aware of how easy it is for the degradation of the public transportation system. This situation will make many people uneasy and make them wonder if San Francisco really has control over transportation, or does someone else?” Pore asked. “I am hoping they will discover the manner in which the breach occurred and hopefully patch the system easily.”

Robert Capps, vice president of business development for NuData Security in Vancouver, B.C., said the ransomware attack on the San Francisco Muni “should serve as a wakeup call.”

“No organizations are immune to cyber-risks, and there is an urgent need for all organizations in every sector to look for ways to beef up their own security before they become victims of similar attacks. The costs of being unprepared can be extreme, even resulting in businesses closing,” Capps said. “Costs can be in terms of demands of dollar payments to release encrypted data, downtime costs, direct financial costs in terms of incident response, data loss, and in extreme cases where hospitals and medical organizations are involved, loss of life.”

Idan Udi Edry, CEO at Nation-E, said critical infrastructure was not designed with cybersecurity in mind, leading to more “real-world consequences” in digital attacks.

“One of the biggest, and often overlooked, areas of risk for cyberattacks in critical infrastructure exists in the convergence between the operational technology (OT) domain and the information technology domain,” Edry told SearchSecurity via email. “The nature of the risk occurs in the design, installation and functionality of serial infrastructure within the OT and the interface of the organization’s IT. Legacy systems that were built without cybersecurity in mind contain vulnerabilities in this interface, which makes them extremely susceptible to cyberattacks.”